This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 89%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Does NDES (Network Device Enrollment Service) service account will support for Kerberos AES 256 bit encryption? if we enable AES256 encryption will it cause any problem for Intune deployment?
Hello @Bab bab
Thank you for your post.
I would suggest you to go through the following articles shown below:
Looking forward to your feedback,
Best Regards,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Bab bab , In the first article which ricardosolisvillegas provided, it says that the NDES account as gMSA or Domain user accounts: enforce AES encryption.
Then I go to do test in my SCEP environment with NDES, enable "This account supports Kerberos AES 256 bit encryption" on NDES service account. And find the SCEP certificate request from Intune profile can still works. I can still get the certificate.
So I think it supports.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Bab bab , Hope things are going well. I am writing to see if there's anything else we can help. If yes, feel free to let us know.
Hi there,
I suspect that it is not recommended to use the configuration as you have stated.
NDES gets involved in verifying the certificate request, as it is acting as a Registration Authority (RA) and an endpoint for SCEP-based communication.
This article describes the best practices, location, values, and security considerations for the Network security: Configure encryption types allowed for Kerberos security policy setting.
https:// learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
---------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--